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September  10,  2012 

MEMORANDUM  FOR  DIRECTOR,  DEFENSE  COMMISSARY  AGENCY 

SUBJECT:  Quality  Control  Review  of  the  Defense  Commissary  Agency  Internal  Audit 
Function  (Report  No.  DODIG-2012-126) 

We  are  providing  this  report  for  your  infonnation  and  use.  We  have  reviewed  the 
Defense  Commissary  Agency  (DeCA)  Office  of  Internal  Audit  system  of  quality  control 
in  effect  for  the  period  ended  July  31,2011.  A  system  of  quality  control  for  DeC  A’s 
audit  organization  encompasses  the  audit  organization’s  leadership,  emphasis  on 
performing  high  quality  work,  and  policies  and  procedures  established  to  provide 
reasonable  assurance  of  compliance  with  generally  accepted  government  auditing 
standards  (GAGAS).  The  DeCA  Office  of  Internal  Audit  is  responsible  for  designing  a 
system  of  quality  control  and  complying  with  its  system  to  provide  DeCA  management 
with  reasonable  assurance  that  its  audits  are  performed  and  reported  on  in  accordance 
with  GAGAS  in  all  material  respects. 

Our  review  was  conducted  in  accordance  with  GAGAS  and  guidelines  established  by  the 
Council  of  the  Inspectors  General  on  Integrity  and  Efficiency.  We  tested  the  DeCA’s 
Office  of  Internal  Audit  organization’s  system  of  quality  control  to  the  extent  we 
considered  appropriate.  GAGAS  require  that  an  audit  organization  performing  audits  or 
attestation  engagements,  or  both,  in  accordance  with  GAGAS  have  an  appropriate 
internal  quality  control  system  in  place  and  undergo  an  external  quality  control  review  at 
least  once  every  3  years  by  reviewers  independent  of  the  audit  organization  being 
reviewed.  An  audit  organization’s  quality  control  policies  and  procedures  should  be 
appropriately  comprehensive  and  suitably  designed  to  provide  reasonable  assurance  that 
they  meet  GAGAS  requirements  for  quality  control. 

Federal  audit  organizations  can  receive  a  rating  of  pass,  pass  with  deficiencies,  or  fail.  In 
our  opinion,  the  DeCA  Office  of  Internal  Audit  organization’s  system  of  quality  control 
for  audits  was  suitably  designed  in  accordance  with  the  quality  standards  established  by 
GAGAS.  Accordingly,  we  are  issuing  a  pass  opinion  on  DeCA’s  Office  of  Internal  Audit 
organization’s  system  of  quality  control  for  the  review  period  ended  July  3 1,  201 1. 

Appendix  A  contains  background,  comments,  observations,  and  recommendations  for 
DeCA  Office  of  Internal  Audit  to  improve  its  quality  control  system.  Appendix  B 
contains  a  summary  of  the  results  of  our  interviews  with  the  DeCA  Office  of  Internal 
Audit  staff.  Appendix  C  contains  the  scope  and  methodology  of  the  review. 


We  appreciate  the  courtesies  extended  to  the  audit  staff.  For  additional  information  on 
this  report,  please  contact  Mr.  Robert  L.  Kienitz  at  (703)  604-8754  (DSN  664-8754). 


A  /W-o 

Carolyn  R.  Davis 
Assistant  Inspector  General 
for  Audit  Policy  and  Oversight 


Appendix  A.  Background,  Comments, 
Observations,  and  Recommendations 

Background 

Defense  Commissary  Agency 

The  Defense  Commissary  Agency  (DeCA),  established  on  October  1,  1991,  operates  a 
worldwide  chain  of  commissaries  in  13  countries  and  two  U.S.  territories,  providing 
groceries  to  military  personnel,  retirees,  and  their  families.  As  of  September  30,  2011, 
DeCA  had  248  stores  with  total  FY  2011  sales  of  $5.9  billion.  DeCA  is  headquartered  at 
Fort  Lee,  Virginia,  employs  approximately  17,000  employees,  and  serves  approximately 
12  million  customers. 

DeCA  Internal  Audit  Organization 

The  DeCA  Office  of  Internal  Audit,  an  independent  office  within  DeCA,  reports  directly 
to  the  Director  and  Chief  Executive  Officer,  DeCA.  It  provides  independent  and 
objective  internal  audit  services  through  an  appropriate  mix  of  performance,  compliance, 
and  financial  audits.  It  initiates  and  conducts  audits  relating  to  DeCA  programs  and 
operations,  and  reports  the  results.  The  office  consists  of  a  Director,  Deputy  Director 
(currently  vacant),  one  administrator,  and  eight  auditors.  During  our  review  period, 
DeCA  filled  the  vacant  director’s  position.  The  office  also  published  its  first  audit 
manual,  DeCA  Manual  90-5.1,  “DeCA  Internal  Audit  Manual,”  on  August  10,  201 1, 
implementing  generally  accepted  government  auditing  standards  (GAGAS). 

Comments,  Observations,  and  Recommendations 

We  are  issuing  a  pass  opinion  because  we  detennined  that  the  system  of  quality  control 
for  the  DeCA  Office  of  Internal  Audit  is  adequately  designed  and  functioning  as 
prescribed.  The  findings  we  identified  during  our  review  of  the  selected  audit  reports 
were  not  cumulatively  significant  enough  to  rise  to  the  level  of  deficiency  or  significant 
deficiency  based  on  our  opinion  and  as  defined  by  the  Council  of  the  Inspectors  General 
on  Integrity  and  Efficiency  Guide  for  Conducting  External  Peer  Reviews  of  the  Audit 
Organizations  of  Federal  Offices  of  Inspector  General. 

We  judgmentally  selected  four  reports1  to  review  for  compliance  with  GAGAS  in  nine 
areas:  quality  control,  independence,  professional  judgment,  competence,  audit 
planning,  supervision,  evidence,  audit  documentation,  and  reporting.  We  identified  five 
areas  with  findings  relating  to  quality  control,  independence,  audit  planning,  supervision, 
and  audit  documentation. 


1  One  of  the  four  reports,  misclassified  a  performance  audit,  was  actually  a  nonaudit  service.  GAGAS 
standards  do  not  cover  nonaudit  services,  except  for  evaluating  organizational  independence  when 
performing  such  a  service. 
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Quality  Control  System 

GAGAS,  version  2007,"  paragraph  3.52,  requires  each  audit  organization  to  document  its 
quality  control  procedures  and  communicate  those  procedures  to  its  personnel.  Our 
review  covered  the  period  August  1,  2009  to  July  31,  2011.  During  this  period,  the 
DeCA  Office  of  Internal  Audit  quality  control  system  consisted  of  a  draft  internal  audit 
manual. 

The  DeCA  Office  of  Internal  Audit  published  DeCA  Manual  (DeCAM)  90-5.1,  “DeCA 
Internal  Audit  Manual,”  on  August  10,  201 1.  Although  this  manual  was  published  10 
days  after  the  cutoff  of  our  review  period,  we  chose  to  review  it  to  detennine  whether  it 
adequately  implemented  GAGAS.  The  manual  did  not  contain  a  section  implementing 
GAGAS  general  standards  of  independence,  professional  judgment,  competence,  and 
quality  control  and  assurance. 

The  manual  also  lacked  policies  and  procedures  for  performing  nonaudit  services.  One 
of  the  reports  we  reviewed  was  a  nonaudit  service;  however,  documentation  contained  in 
the  project  revealed  confusion  on  the  auditors’  part  as  to  whether  this  project  was  a 
perfonnance  audit  or  a  nonaudit  service.  For  example,  the  project  review  plan  stated  that 
this  was  an  audit  and  the  Independent  Reference  Review  certification,  signed  by  the 
Auditor-in-Charge,  the  Independent  Reference  Reviewer,  and  the  Audit  Manager,  stated 
that  this  audit  was  done  in  compliance  with  GAGAS.  However,  the  final  report  did  not 
contain  a  statement  that  the  project  was  done  in  compliance  with  GAGAS,  which  was 
correct  for  a  nonaudit  service.  Without  proper  policies  and  procedures,  auditors  had 
difficulty  determining  the  type  of  project  they  were  perfonning. 

Recommendations,  Management  Comments,  and  Our 
Response 

Recommendations 

We  recommend  that  the  Director,  DeCA: 

1.  Revise  DeCAM  90-5.1,  “DeCA  Internal  Audit  Manual,”  to  include  a  section 
to  fully  implement  the  independence,  professional  judgment,  competence, 
and  quality  control  and  assurance  standards  contained  in  the  general 
standards  section  of  GAGAS. 

Management  Comments 

The  Director,  DeCA  concurred.  The  DeCA  Internal  Audit  Manual  (DeCAM  90-5. 1)  has 
been  revised  to  include  sections  on  independence,  professional  judgment,  competence, 
and  quality  control. 


2  The  newest  version  of  GAGAS  is  dated  December  2011.  However,  for  this  review,  we  were  required  to 
use  the  July  2007  version  of  GAGAS,  as  it  covered  the  period  of  our  review,  August  1,  2009  to  July  31, 


2011. 
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Our  Response 

The  Director,  DeCA  comments  were  responsive  and  the  actions  meet  the  intent  of  the 
recommendation. 

2.  Revise  DeCAM  90-5.1,  “DeCA  Internal  Audit  Manual,”  to  include  guidance 
on  the  performance  of  nonaudit  services. 

Management  Comments 

The  Director,  DeCA  concurred.  The  DeCA  Internal  Audit  Manual  (DeCAM  90-5.1)  has 
been  revised  to  include  a  section  on  nonaudit  services. 

Our  Response 

The  Director,  DeCA  comments  were  responsive  and  the  actions  meet  the  intent  of  the 
recommendation. 

Independence 

Personal  Independence 

Two  of  the  projects  reviewed  did  not  contain  personal  independence  statements. 

GAGAS,  version  2007,  paragraph  3.08.f,  requires  audit  organizations  to  maintain 
documentation  of  the  steps  taken  to  identify  potential  impairments  to  personal 
independence.  The  DeCA  Office  of  Internal  Audit  required  all  audit  staff  to  complete  an 
annual  independence  statement  and  file  the  statements  in  quasi-official  personnel  folders 
held  by  the  office  administrator.  However,  not  all  project  folders  contained  a  copy  of 
these  independence  statements.  Because  some  projects  did  not  contain  the  required 
statements,  external  reviewers  had  to  determine  the  independence  of  all  auditors  assigned 
to  each  project.  At  the  time  of  our  site  visit  in  January  2012,  a  new  policy  was  in  effect  at 
the  DeCA  Office  of  Internal  Audit  to  create  a  new  independence  statement  for  each  new 
project  and  place  that  statement  in  the  project  documentation;  therefore,  we  have  no 
recommendations . 

Organizational  Independence 

DeCA  Office  of  Internal  Audit  perfonned  two  nonaudit  service  projects  during  the  period 
of  our  review.  The  files  for  the  projects  titled  “Value  of  the  Commissary  Benefit  Study” 
and  “Vendor  Credit  Memorandum,  Little  Creek  Commissary”  did  not  contain  the 
required  documented  analysis  showing  that  providing  this  service  would  not  impair  the 
DeCA  Office  of  Internal  Audit’s  organizational  independence.  GAGAS,  version  2007, 
paragraph  1 .34,  states  that  audit  organizations  that  provide  nonaudit  services  must 
evaluate  whether  providing  nonaudit  services  creates  an  independence  impairment  either 
in  fact  or  appearance  with  respect  to  the  entities  they  audit.  Further,  GAGAS,  version 
2007,  paragraph  3. 30. a,  states  that  the  audit  organization  should  document  its 
consideration  of  nonaudit  services,  including  its  conclusions  about  the  impact  on 
independence.  This  evaluation  should  always  be  perfonned  when  the  decision  is  made  to 
perfonn  a  nonaudit  service  to  ensure  the  consideration  of  potential  for  an  independence 
impainnent.  Although  the  DeCA  Office  of  Internal  Audit  draft  internal  audit  manual  did 
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not  contain  guidance  on  the  performance  of  nonaudit  services,  we  did  not  identify  any 
organizational  independence  impairment  issues. 

Recommendations,  Management  Comments,  and  Our 
Response 

Recommendations 

We  recommend  the  Director,  DeCA: 

3.  Revise  DeCAM  90-5.1,  “Internal  Audit  Manual,”  to  include  guidance  on  how 
to  evaluate  and  document  organizational  independence  when  deciding 
whether  to  perform  a  nonaudit  service. 

Management  Comments 

The  Director,  DeCA  concurred.  The  DeCA  Internal  Audit  Manual  (DeCAM  90-5.1)  has 
been  revised  to  include  guidance  on  evaluating  and  documenting  organizational 
independence  when  determining  to  perform  a  nonaudit  service. 

Our  Response 

The  Director,  DeCA  comments  were  responsive  and  the  actions  meet  the  intent  of  the 
recommendation. 

4.  Ensure  that  the  files  of  any  future  nonaudit  service  performed  by  the  DeCA 
Office  of  Internal  Audit  contain  the  required  documented  evaluation 
concerning  organizational  independence. 

Management  Comments 

The  Director,  DeCA  concurred.  DeCA  Office  of  Internal  Audit  created  a  nonaudit 
service  statement  that  is  to  be  completed  by  the  auditors  and  filed  in  the  project. 

Our  Response 

The  Director,  DeCA  comments  were  responsive  and  the  actions  meet  the  intent  of  the 
recommendation. 

Audit  Planning 

Two  of  the  projects  we  reviewed  had  audit  planning  issues.  GAGAS,  version  2007, 
paragraph  7.1 1,  states  that  auditors  should  assess  audit  risks  that  are  significant  within  the 
context  of  the  audit  objective  by  gaining  an  understanding  of  the  following: 

•  the  nature  and  profile  of  the  programs  and  the  needs  of  potential  users  of  the  audit 
report, 

•  internal  control  as  it  relates  to  the  specific  objectives  and  scope  of  the  audit,  and 
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•  information  systems  controls  for  assessing  audit  risk  and  planning  the  audit. 

Further,  GAGAS,  version  2007,  paragraph  7.30,  requires  auditors  to  assess  risks  of  fraud 
occurring  that  are  significant  within  the  context  of  the  audit  objectives. 

For  the  “Front-End  Operations  Fraud  Indicators”  audit,  we  did  not  identify  any  working 
papers  supporting  that  an  assessment  of  audit  risks  was  perfonned.  Specifically,  no 
support  existed  that  the  auditors  gained  an  understanding  of  the  nature  and  profile  of  the 
programs  and  needs  of  potential  users,  internal  control,  and  the  information  systems 
controls.  Assessing  audit  risks  provides  auditors  reasonable  assurance  that  the  evidence 
they  obtain  is  sufficient  and  appropriate  to  support  their  findings  and  conclusions. 

The  DeCA  auditors  did  not  perfonn  fraud  risk  assessments  for  the  “Front-End  Operations 
Fraud  Indicators”  and  “Equipment  Installation  on  New  Construction,  Additions  and 
Alterations”  audits.  For  example,  for  the  “Front-End  Operations  Fraud  Indicators”  audit, 
the  audit  guide  documented  the  following  as  one  of  the  audit  objectives:  “the  audit  will 
focus  on  ensuring  that  controls  are  in  place  and  operating  as  intended  to  help  mitigate 
fraudulent  activities.”  However,  there  were  no  working  papers  supporting  that  a  fraud 
risk  assessment  was  performed  for  this  audit. 

Recommendation,  Management  Comments,  and  Our 
Response 

Recommendation 

5.  We  recommend  that  the  Director,  DeCA  ensure  that  auditors  perform  and 
document  assessments  of  audit  risks  and  fraud  risks. 

Management  Comments 

The  Director,  DeCA  concurred.  The  DeCA  Office  of  Internal  Audit  created  mandatory 
steps  within  the  TeamMate  template  for  all  auditors  to  evaluate  audit  and  fraud  risks. 

Our  Response 

The  Director,  DeCA  comments  were  responsive  and  the  actions  meet  the  intent  of  the 
recommendation. 

Supervision 

One  project  reviewed  lacked  adequate  documentation  of  supervision.  GAGAS,  version 
2007,  paragraph  7.80c,  states  that  auditors  should  document  evidence  of  supervisory 
review,  before  the  audit  report  is  issued,  for  the  work  performed  that  supports  findings, 
conclusions,  and  recommendations  contained  in  the  audit  report. 

For  the  “Front-End  Operations  Fraud  Indicators”  audit,  only  1  of  the  24  working  papers 
prepared  by  the  auditors  was  evidenced  as  reviewed  by  a  supervisor.  Twenty-two  of  the 
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working  papers  were  shown  as  “In  Progress,”  and  1  was  shown  as  “Prepared”  in 
Team  Mate’.  Seven  of  the  working  papers  not  evidenced  as  reviewed  by  a  supervisor 
supported  the  findings,  conclusions,  and  recommendations  in  the  report. 


Recommendations,  Management  Comments,  and  Our 
Response 

Recommendation 


6.  We  recommend  that  the  Director,  DeCA,  provide  training  on  documenting 
supervision  to  all  individuals  who  supervise  audit  projects  and  on  signing 
working  papers  and  reports. 

Management  Comments 

The  Director,  DeCA  concurred.  The  DeCA  Office  of  Internal  Audit  has  completed 
training  on  the  use  of  TeamMate  thus  improving  oversight. 

Our  Response 

The  Director,  DeCA  comments  were  responsive  and  the  actions  meet  the  intent  of  the 
recommendation. 

Audit  Documentation 

All  projects  reviewed  had  issues  with  the  adequacy  of  audit  documentation.  GAGAS, 
version  2007,  paragraph  7.77,  states: 

Auditors  should  prepare  audit  documentation  in  sufficient  detail  to  enable  an 
experienced  auditor,  having  no  previous  connection  to  the  audit,  to  understand 
from  the  audit  documentation  the  nature,  timing,  extent,  and  results  of  audit 
procedures  performed,  the  audit  evidence  obtained  and  its  source  and  the 
conclusions  reached,  including  evidence  that  supports  the  auditors’  significant 
judgments  and  conclusions. 

Further,  GAGAS,  version  2007,  paragraph  7.80.b,  requires  documented  evidence  of  work 
perfonned. 

For  the  “Review  of  Wrongfully  Terminated  Associate’s  Medical  Expenses”  audit,  the 
term  “N/A”  (not  applicable)  was  documented  in  the  Scope,  Results,  and  Conclusion 
sections  for  three  individual  working  papers.  For  the  Scope  section,  we  would  expect  to 
see  the  specific  time  frame  reviewed.  In  addition,  for  the  Results  and  Conclusion  section, 
we  would  expect  to  see  the  results  for  the  review  of  prior  audit  coverage  and  whether  this 
would  be  incorporated  into  the  preparation  of  the  audit  program. 


3  TeamMate  is  the  electronic  audit  management  system  that  DeCA  Office  of  Internal  Audit  uses  to  prepare 
and  store  their  working  papers,  findings,  documentation  supporting  analysis  and  conclusions,  and  audit 
reports.  Additional  TeamMate  information  can  be  found  at  www.cchteammate.com. 
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For  the  “Front-End  Operations  Fraud  Indicators”  audit,  the  Source  was  not  documented 
for  1 1  individual  working  papers,  the  Conclusion  was  not  documented  for  five  individual 
working  papers,  and  the  Results/Discussion  was  not  documented  for  two  individual 
working  papers.  These  working  papers  supported  the  findings,  conclusions,  and 
recommendations  in  the  report.  For  example,  one  of  the  working  papers  prepared  by  the 
auditors  was  to  document  the  infonnation  systems  used  by  DeCA  to  process  data. 

Finally,  22  working  papers  were  created  by  the  auditor  but  were  not  signed  off  as 
completed.  Seven  of  those  working  papers  support  the  report.  Examples  include  the 
working  papers  prepared  documenting  the  review  and  analysis  of  coupon  acceptance  and 
redemption  activities  at  the  four  commissaries  visited  by  the  audit  team. 

For  the  “Equipment  Installation  on  New  Construction,  Additions  and  Alterations”  audit, 
the  project  documentation  was  lacking  sufficient  detail  for  another  auditor  to  perfonn  the 
steps  and  come  to  the  same  conclusion.  For  example,  a  client-provided  spreadsheet  was 
compared  to  an  online  database  for  accuracy;  however,  no  evidence,  such  as  screen  shots, 
of  the  online  database  was  documented  to  validate  the  accuracy  of  the  data  in  the 
spreadsheet,  and  because  the  database  changes  on  a  daily  basis,  it  could  not  be  recreated 
for  the  moment  that  it  was  used  for  validation.  In  addition,  cross  referencing  throughout 
the  project  could  have  been  better  to  allow  another  auditor  to  easily  follow  the  work 
performed. 

Recommendation,  Management  Comments,  and  Our 
Response 

Recommendation 

7.  We  recommend  that  the  Director,  DeCA,  provide  training  on  audit 
documentation,  cross  referencing,  and  use  of  TeamMate. 

Management  Comments 

The  Director,  DeCA  concurred.  The  DeCA  Office  of  Internal  Audit  auditors  completed 
training  on  audit  documentation,  cross  referencing,  and  in  the  use  of  the  TeamMate 
software. 

Our  Response 

The  Director,  DeCA  comments  were  responsive  and  the  actions  meet  the  intent  of  the 
recommendation. 
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Appendix  B.  Summary  of  Interview  Results 
Relating  to  DeCA  Audit  Policies  and  GAGAS 


We  interviewed  the  DeCA  Office  of  Internal  Audit  Director  and  eight  DeCA  staff 
members  to  detennine  their  knowledge  of  DeCA  audit  policies  and  GAGAS.  The 
interviews  consisted  of  questions  related  to  the  DeCA  Office  of  Internal  Audit  policies 
and  GAGAS  fieldwork  and  reporting  standards.  A  summary  of  the  results  of  the 
responses  received  follows: 


Areas  Pertaining  to  DeCA  Office  of  Internal 
Audit  Policies  and  GAGAS  Standards 

Staff  Responses  to  Questions 

1 .  Awareness  of  DeCA  Office  of  Internal 
Audit  Policies 

All  staff  were  aware  of  the  audit  policies. 

2.  Compliance  with  GAGAS 

Most  staff  stated  that  their  work  complied  with 
GAGAS  standards. 

3.  Independence 

All  staff  stated  that  they  did  not  encounter  any 
external  or  organizational  independence 
impairments  when  performing  their  work. 

All  staff  stated  that  they  did  not  perform  any 
nonaudit  services  that  could  impact 
independence. 

4.  Competence 

Staff  responses  indicated  that  the  competency 
requirement  was  fulfilled. 

5.  Quality  Control  and  Assurance 

Depending  on  the  years  of  auditing  experience 
and  length  of  employment  at  the  DeCA  Office 
of  Internal  Audit,  answers  varied  from 
extensive  to  minimal  understanding  of  quality 
control  procedures. 

6.  Planning  (Key  Decisions) 

Staff  involved  with  audit  planning  documented 
key  planning  decisions  and  communicated  with 
the  client  throughout  the  planning  phase. 

7.  Planning  (Fraud) 

Most  staff  stated  that  risk  assessments  were  not 
consistently  performed  before  DeCA  Manual 
90-5.1  was  published  in  August  2011.  DeCA 
Manual  90-5.1  requires  risk  assessments  to  be 
performed  for  each  audit. 

8.  Supervision 

All  staff  stated  that  they  received  or  provided 
adequate  supervision. 

9.  Audit  Documentation 

Staff  provided  examples  of  activities  to  show 
that  audit  reports  are  properly  supported. 

10.  Evidence 

Staff  provided  examples  to  show  that  audit 
evidence  is  supported  in  the  final  audit  report. 

11.  Reporting  (Timeliness) 

The  staff  provided  examples  of  activities  to 
show  that  information  provided  in  reports  are 
current  and  relevant. 
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Appendix  C.  Scope  and  Methodology 

We  reviewed  the  adequacy  of  the  DeCA’s  Office  of  Internal  Audit  compliance  with 
quality  policies,  procedures,  and  standards.  In  performing  our  review,  we  considered  the 
requirements  of  quality  control  standards  contained  in  the  July  2007  Revision  of  GAGAS 
issued  by  the  Comptroller  General  of  the  United  States.  GAGAS  3.56  states: 

The  audit  organization  should  obtain  an  external  peer  review  sufficient  in  scope 
to  provide  a  reasonable  basis  for  determining  whether  the  audit  organization  is 
complying  with  its  quality  control  system  in  order  to  provide  the  audit 
organization  with  reasonable  assurance  of  conforming  with  applicable 
professional  standards. 

We  perfonned  this  review  from  August  2011  to  June  2012  in  accordance  with  standards 
and  guidelines  established  in  the  March  2009  Council  of  the  Inspectors  Generals  on 
Integrity  and  Efficiency  Guide  for  Conducting  External  Peer  Reviews  of  the  Audit 
Organizations  of  Federal  Offices  of  Inspector  General.  In  perfonning  this  review,  we 
assessed,  reviewed,  and  evaluated  audit  documentation,  interviewed  DeCA  Office  of 
Internal  Audit  auditors,  and  reviewed  DeCA  Office  of  Internal  Audit  internal  policies  that 
were  officially  published  on  August  10,  201 1. 

We  judgmentally  selected  four  audit  reports  from  a  universe  of  14  reports  issued  by  the 
Office  of  Internal  Audit  during  the  period  of  August  1 ,  2009  to  July  31,2011.  In 
selecting  reports,  we  worked  with  the  DeCA  Office  of  Internal  Audit  to  establish  the 
universe  of  reports  that  were  issued  during  the  review  period.  We  then  selected  audits 
that  were  more  recent  to  review  the  most  current  quality  assurance  procedures  being 
used,  and  we  chose  a  variety  of  audits  to  ensure  we  reviewed  multiple  types  of  projects. 

The  following  table  identifies  the  specific  reports  reviewed.  The  Type  of  Review  column 
contains  information  that  was  detennined  by  the  report  GAGAS  compliance  statement 
and/or  type  of  review  described  in  the  final  report. 
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Report  Number 

Report  Title  and 

Issue  Date 

Type  of  Review 

DeCA  IR  11-04 

Review  of  Wrongfully 
Tenninated  Associate’s 
Medical  Expenses,  May  2, 
2011 

Perfonnance 

DeCA  IR  11-01 

Value  of  the  Commissary 
Benefit  Study,  January  6, 
2011 

Performance* 

DeCA  IR  10-09 

Front-End  Operations  Fraud 
Indicators,  November  15, 
2010 

Perfonnance 

DeCA  IR  10-07 

Equipment  Installation  on 
New  Construction, 
Additions  and  Alterations, 
July  30,  2010 

Perfonnance 

*Nonaudit  service  incorrectly  classified  as  a  performance  audit. 


Limitations  of  Review.  Our  review  would  not  necessarily  disclose  all  weaknesses  in  the 
system  of  quality  control  or  all  instances  of  noncompliance  because  we  based  our  review 
on  selective  tests.  There  are  inherent  limitations  in  considering  the  potential 
effectiveness  of  any  quality  control  system.  In  perfonning  most  control  procedures, 
departures  can  result  from  misunderstanding  of  instructions,  mistakes  of  judgment, 
carelessness,  or  other  human  factors.  Projecting  any  evaluation  of  a  quality  control 
system  into  the  future  is  subject  to  the  risk  that  one  or  more  procedures  may  become 
inadequate  because  conditions  may  change  or  the  degree  of  compliance  with  procedures 
may  deteriorate. 
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Defense  Commissary  Agency,  Headquarters 
Comments 


DEFENSE  COMMISSARY  AGENCY 

HEADQUARTERS 
1 300  E  AVENUE 

FORT  LEE.  VIRGINIA  238011800 


August  21.  2012 

cc 

MEMORANDUM  FOR  DEPARTMENT  OF  DEFENSE  OFFICE  OF  INSPECTOR  GENERAL 
(ATTN:  ASSISTANT  INSPECTOR  GENERAL,  AUDIT  POLICY 
AND  OVERSIGHT) 

SUBJECT:  Quality  Control  Review  of  the  Defease  Commissary  Agency  Internal  Audit 
Functions,  Project  No.  D201 1-DIP0AI-0268.000 

We  concur  with  all  recommendations  addressed  in  DoDIG  draft  report  on  the  “Quality 
Control  Review  of  DeCA’s  Internal  Audit  Functions.”  As  a  result  of  your  review  and  noted 
deficiencies,  the  following  corrective  and  ongoing  actions  arc  provided  in  accordance  with 
Generally  Accepted  Government  Auditing  Standards  (GAGAS),  as  stated  in  the  December  2011 
Revision  of  the  Government  Accountability  Office  (GAO)  Yellow  Book. 

In  concurring  with  the  recommendation  concerning  the  Quality  Control  System, 
corrective  actions  have  been  taken  by  updating  DeCA’s  Internal  Audit  Manual  (DeCAM  90-5.1). 
The  manual  has  been  revised  to  include  the  independence,  professional  judgment,  competence, 
and  quality  control  and  assurance  standards,  as  addressed  in  the  GAO  Yellow  Book,  chapter  3. 
Guidance  on  the  performance  of  nonaudit  services  has  been  included  in  the  manual  as  well. 
Continued  revisions  to  the  manual  are  expected  due  to  a  recent  DeCA  reorganization. 

In  concurring  with  the  recommendation  concerning  Independence,  we  have  made 
revisions  to  DeCAM  90-5. 1  which  include  guidance  on  documenting  organizational 
independence  when  performing  nonaudit  services.  In  addition,  a  nonaudit  service  statement  has 
been  created  for  auditors  to  complete  and  file  in  TeamMate  Electronic  Working  Paper. 

In  concurring  with  the  recommendation  concerning  Audit  Planning,  we  have 
implemented  mandatory  steps  in  TeamMate  for  use  during  the  planning  phase  to  evaluate  audit 
risk,  fraud  risk,  and  internal  controls  relevant  to  the  audit  objective.  These  steps  are  performed 
in  accordance  with  GAGAS  standards  as  stated  in  the  GAO  Yellow  Book. 

In  concurring  with  the  recommendation  concerning  Audit  Documentation,  the  Internal 
Audit  staff  has  completed  training  on  audit  documentation,  cross  referencing,  and  the  use  of 
TeamMate,  thus  improving  working  paper  documentation  and  oversight. 

Please  address  additional  concerns  to  Mr.  Keith  Owens,  Inspector  General,  at 
804.734.8000,  extension  8.6295,  or  keith.owens@deca.mil. 


Director 


ommissary  ...  It's  Worth  the  Trip! 
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